Malware Spreading Swoop Avails of US Air Operators Names
17 September 2008
Following this summer's bogus JetBlue Airways e-Ticketing bombardment, malware creators have launched a new Trojan offensive via phony messages that abuse the identities of major US airlines.
For the last two weeks, inboxes around the world have been swamped by the newest muddy spam campaign, which purports to deliver e-Tickets and invoices to the alleged customers of a so-called “Buy Airplane Ticket Online” service. You guessed it: behind the apparently harmless zip archives is a brand new and improved cargo of malware.
With tropical destinations almost out of the picture, but school and work days approaching at supersonic speed, probably the same “bad guys” behind the summer spam wave thought they would give it another try. Same template, another mass-mailing, but with different “borrowed” flyers and some extra mischievous toppings.
Instead of July's spoofed JetBlue Airways identity, autumn has brought into the spotlight other US airlines: Delta Air Lines, Virgin America, United Airlines and Continental Airlines, as well as Southwest Airlines, Northwest Airlines, Midwest Airlines and other operators with cardinal points in their names. Also beware of counterfeit messages sent on behalf of operators with a more exotic ring to them: Sun Country Airlines, Spirit Airlines, Allegiant Air, Frontier Airlines, AirTran Airlines, Hawaiian Airlines and Alaska Airlines.
As for the malware flavors, we have our “good” old buddies Trojan.Spy.Zbot.KJ and Trojan.Spy.Wsnpoem.HA (you probably remember them from the forged UPS® and FedEx® e-mails we covered), but also the “challenger” Trojan.Injector.CH.
Both the old and the new comers have rootkit components that help them install and hide themselves on the compromised machine, in either the Windows or the Program Files directory. They inject code into several processes and add exceptions to the Microsoft® Windows® Firewall, which gives them backdoor and server capabilities. All of them send out sensitive information and listen on several ports for commands from the remote attacker. The Trojans also attempt to connect to, and download files from, servers whose domain names are apparently registered in the Russian Federation.
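The campaign described above has a recognisable shape at the mail gateway: a From header that borrows one of the listed airline names, an e-Ticket or invoice lure, and a zip attachment. The following triage script is an added example written for this page, not BitDefender's code or any product's rule set; the message samples, the `Message` structure and the scoring thresholds are constructed assumptions, and the airline list is the one the alert names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Airlines the alert reports being impersonated in the September 2008 wave.
IMPERSONATED_AIRLINES = [
    "Delta Air Lines", "Virgin America", "United Airlines", "Continental Airlines",
    "Southwest Airlines", "Northwest Airlines", "Midwest Airlines",
    "Sun Country Airlines", "Spirit Airlines", "Allegiant Air", "Frontier Airlines",
    "AirTran Airlines", "Hawaiian Airlines", "Alaska Airlines", "JetBlue Airways",
]

# Lure wording used by the campaign: e-Ticket / invoice and the fake service name.
LURE_PATTERNS = [
    re.compile(r"e-?ticket", re.I),
    re.compile(r"invoice", re.I),
    re.compile(r"buy airplane ticket online", re.I),
]

# The campaign delivers its payload inside zip archives.
ARCHIVE_EXTENSIONS = (".zip",)


@dataclass
class Message:
    """Minimal view of an e-mail as a gateway filter would see it (hypothetical)."""
    sender: str                      # full From header, display name included
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)   # attachment file names


def impersonated_airline(sender: str) -> Optional[str]:
    """Return the listed airline whose name appears in the From header, if any."""
    sender_l = sender.lower()
    for name in IMPERSONATED_AIRLINES:
        if name.lower() in sender_l:
            return name
    return None


def triage(msg: Message) -> Dict[str, object]:
    """Score one message against the three indicators from the alert.

    All three together is the campaign pattern and gets 'quarantine';
    two of them get 'review'; fewer pass (an airline name alone is normal mail).
    """
    reasons: List[str] = []
    airline = impersonated_airline(msg.sender)
    if airline:
        reasons.append(f"sender claims to be {airline}")
    text = f"{msg.subject}\n{msg.body}"
    if any(p.search(text) for p in LURE_PATTERNS):
        reasons.append("e-ticket/invoice lure in subject or body")
    archives = [a for a in msg.attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        reasons.append("zip attachment: " + ", ".join(archives))
    if len(reasons) == 3:
        verdict = "quarantine"
    elif len(reasons) == 2:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real campaign mail): one matching the
# campaign, one legitimate-looking airline newsletter, one zip-bearing invoice
# that borrows no airline name.
SAMPLE_MESSAGES = [
    Message("Delta Air Lines <tickets@example.invalid>", "Your e-Ticket #A12345",
            "Thank you for using Buy Airplane Ticket Online. Your e-ticket and "
            "invoice are attached.", ["eTicket_A12345.zip"]),
    Message("Frontier Airlines <news@example.invalid>", "Autumn fares",
            "Book now for the best seats.", []),
    Message("Payroll <hr@example.invalid>", "Invoice 2008-09",
            "Attached.", ["invoice.zip"]),
]


def triage_all(messages: List[Message] = SAMPLE_MESSAGES) -> List[str]:
    """Return the verdict for each message, in order."""
    return [str(triage(m)["verdict"]) for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = triage(m)
        print(m.subject, "->", result["verdict"], result["reasons"])
```

Running the script quarantines only the first sample; the newsletter passes on its airline name alone, and the bare zip invoice is held for review. A real deployment would feed the `Message` objects from the gateway's parsed MIME structure and log the `reasons` list alongside the verdict so analysts can see which indicator fired.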
“Users should be aware that without the appropriate security solution the integrity of their systems is at an extremely high risk. The Trojans this new malware distribution campaign delivers and the high rate of infections prove once again not just the cybercriminals' ingenuity, but also the lack of interest the users show in terms of systems’ defense and sensitive data protection,” said Sorin Dudea, Head of BitDefender® Antimalware Research.